In the mobile device market, there are many different challenges that arise when forensically acquiring a device. Sometimes, these challenges are fairly straightforward – with iPhones, if we are given the model number and the version of the operating system, we can typically tell you what data is recoverable from the phone. Since Apple controls both the hardware and the software for their devices, there are only a handful of potential combinations to deal with.
But that’s quite different from the Android marketplace, where there are 11,868 different android devices in use so far this year (2013). When you multiply that by the 8 modern Android versions out there, that’s 94,944 hardware/software combinations that could be on a phone that we receive at our lab. In addition, remember that each separate carrier usually compiles their own custom software to ship with their phone. Some carriers also require different hardware than others, depending on their 4G/LTE infrastructure, which is one reason there are 4 different hardware versions of the Samsung Galaxy Note 2 (for example). And did I mention that most Android phones can be rooted, enabling anyone to custom-write their own operating system to run on the hardware?
All of these factors mean that there are millions of different configurations that are in use on Android equipment, and there is not a single tool that can successfully capture data from every device. The market for android forensic tools is constantly shifting – while one tool might successfully capture the data from a particular device, it might fail on another device from the same manufacturer.
That forensic tool also might lose capability if its developers are not keeping up with the latest advancements in technology. Android acquisition software needs to be constantly updated so it can continue to capture data from updated Android devices. When a user updates their operating system, some forensic artifacts which were once present in one location may no longer be there.
One additional difference between iOS and Android is that Android allows third-party apps to handle two basic functions that often produce interesting data during investigations: texting and calling. While many users continue to use the default messaging app that came with their phone, third-party solutions can provide an additional level of encryption for this data, making it much more difficult to recover during an investigation.
Unfortunately, this means that we don’t always know what can be recovered from an Android device until it’s in our possession. While most of the time we can extract information from the device, the sheer number of possible Android configurations means that we cannot promise the same result for every phone.